
Cybersecurity researchers have discovered a new variant of the Android banking trojan called Hook that uses a ransomware-style overlay screen to display extortion messages.
“A notable feature of the latest variant is its ability to deploy full-screen ransomware overlays, which aim to force victims to pay ransom,” said Vishnu Pratapagiri, a researcher at Zimperium zLabs. “This overlay presents an astonishing ‘warning’ message along with the wallet address and amount. Both are dynamically retrieved from the Command and Control Server.”
The mobile security company said that the overlay is launched remotely when the C2 server issues the command “Ransome”. The attacker can dismiss the overlay by sending the “delete_ransome” command.
Hook is assessed to be a derivative of the ERMAC banking trojan, whose source code leaked into a publicly accessible directory on the internet.
Like other banking malware targeting Android, it can display fake overlay screens on top of financial apps to steal user credentials, and it abuses Android accessibility services to automate fraud and remotely control devices.

Other notable features include the ability to send SMS messages to a given phone number, stream the victim’s screen, capture photos using the front camera, and steal cookies and recovery phrases related to cryptocurrency wallets.
According to Zimperium, the latest version marks a major advancement, supporting 107 remote commands, 38 of them new. These include a transparent overlay to capture user gestures and deceptive prompts that trick victims into sharing sensitive data, including lock screen PINs or patterns.

Among the newly added commands are ones that use a full-screen WebView overlay to display a fake NFC scan screen and read card data, show a fake unlock screen to collect unlock patterns or PIN codes, and give the operator unauthorized access to the device.
Hook is believed to be distributed at scale through phishing websites and fake GitHub repositories that host and spread malicious APK files. Other Android malware families distributed via GitHub include ERMAC and Brokewell, indicating wider adoption of the tactic among threat actors.
“The evolution of Hook shows that banking trojans are rapidly converging with spyware and ransomware tactics. The ongoing expansion of functionality and widespread distribution make these families riskier to financial institutions, businesses and end users.”

Anatsa continues to evolve
The disclosure came as Zscaler ThreatLabz detailed an updated version of the Anatsa banking trojan, which has expanded its target list to 831 banks and cryptocurrency services around the world, including ones in Germany and South Korea, up from the 650 previously reported.
One of the apps in question is known to mimic a file manager app (package name: com.synexa.fileops.fileedge_organizerviewer). In addition to replacing dynamic code loading of a remote Dalvik Executable (DEX) payload with direct installation of the trojan, the malware uses corrupted archives to hide the DEX payload that is deployed at runtime.
Anatsa also requests access to Android accessibility services, which it abuses to grant itself additional permissions to send and receive SMS messages and to render overlay windows on top of other apps' content.
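As an added illustration (not code from Zscaler or from the article), the following Python triage routine shows the kind of check a defender might run against the technique described above: it flags ZIP members that carry a DEX header under a non-.dex name, flags members whose data no longer reads back (a sign of a deliberately damaged archive), and falls back to carving DEX headers from raw bytes when the archive cannot be opened at all. The sample APK is constructed inline and is not a real malware sample.

```python
import io
import zipfile

DEX_MAGIC = b"dex\n"  # header continues with three ASCII digits + NUL, e.g. b"dex\n035\0"


def find_dex_offsets(blob: bytes) -> list:
    """Carve DEX header offsets from raw bytes (finds stored, not deflated, payloads)."""
    offsets, pos = [], blob.find(DEX_MAGIC)
    while pos != -1:
        version = blob[pos + 4:pos + 8]
        if len(version) == 4 and version[:3].isdigit() and version[3] == 0:
            offsets.append(pos)
        pos = blob.find(DEX_MAGIC, pos + 1)
    return offsets


def triage_apk(apk_bytes: bytes) -> dict:
    """hidden_dex: members with a DEX header that are not classes*.dex; corrupt: members
    that fail to read back (bad CRC / damaged header); carved: raw offsets if ZIP is unreadable."""
    report = {"hidden_dex": [], "corrupt": [], "carved": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(apk_bytes))
    except zipfile.BadZipFile:
        report["carved"] = find_dex_offsets(apk_bytes)  # central directory unusable
        return report
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            try:
                data = zf.read(info.filename)  # raises BadZipFile on CRC mismatch
            except (zipfile.BadZipFile, RuntimeError, NotImplementedError):
                report["corrupt"].append(info.filename)
                continue
            legit = info.filename.startswith("classes") and info.filename.endswith(".dex")
            if data.startswith(DEX_MAGIC) and not legit:
                report["hidden_dex"].append(info.filename)
    return report


def build_sample_apk() -> bytes:
    """Constructed sample, not a real APK: a normal classes.dex, a DEX payload
    disguised as an asset, and a PNG member whose stored bytes are then damaged."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("classes.dex", b"dex\n035\0" + bytes(64))
        zf.writestr("assets/config.dat", b"dex\n035\0" + bytes(64))
        zf.writestr("res/raw/logo.png", b"\x89PNG\r\n\x1a\n" + b"A" * 40)
    # Flip one byte of the stored PNG data so its CRC no longer matches the headers.
    return buf.getvalue().replace(b"A" * 40, b"A" * 39 + b"B", 1)
```

Deflated members are only checked after decompression, so the raw carving fallback will miss compressed payloads; it is meant for archives whose directory structure is too damaged for the ZIP parser.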

Overall, the company identified 77 malicious apps on the Google Play Store from a variety of adware, maskware and malware families, including Anatsa, Joker and Harly, which together accounted for more than 19 million installations. Maskware refers to a category of apps that present themselves to the app store as legitimate applications or games but incorporate malicious code loading or cloaking techniques to hide malicious content.
Harly is a Joker variant first flagged by Kaspersky in 2022. In March this year, HUMAN Security said it had discovered 95 malicious applications, including Harly, hosted on the Google Play Store.
“Anatsa continues to evolve and improve with anti-analytic technology to better avoid detection,” said security researcher Himansh Sharma. “The malware has also added support for over 150 new financial applications to its target list.”